Management Letter
Related to the Audit of the
Broadcasting Board of Governors
2012 and 2011 Financial Statements

AUD-FM-IB-13-13, February 2013

Clarke Leiper, PLLC
Certified Public Accountants
6265 Franconia Road
Alexandria, Virginia 22310

November 16, 2012

To the Chief Financial Officer
Broadcasting Board of Governors:

We (Clarke Leiper, PLLC) have audited the consolidated financial statements of the
Broadcasting Board of Governors (BBG) as of and for the years ended September 30, 2012 and
2011, and have issued our report thereon dated November 16, 2012 (Independent Auditor’s
Report on the Broadcasting Board of Governors 2012 and 2011 Financial Statements,
AUD-FM-IB-13-12, Nov. 2012). In planning and performing our audit of the BBG financial
statements, we considered BBG’s internal control over financial reporting and compliance to
determine our auditing procedures for the purpose of expressing an opinion on the financial
statements and not to provide assurance on internal control. Accordingly, we do not express an
opinion on the effectiveness of internal control related to financial reporting and compliance.
We have not considered internal control since the date of our report.

During our audit, we noted certain matters involving internal control over financial reporting and
compliance that we considered to be significant deficiencies under the standards established by
the American Institute of Certified Public Accountants.
We reported those deficiencies in the
report referenced.

Our audit procedures were designed primarily to enable us to form an opinion on the financial
statements and therefore may not identify all internal control weaknesses that may exist.
However, we would like to take this opportunity to use the knowledge we gained during the
audit of BBG to provide comments and suggestions that we hope will be useful.

Although not considered to be significant deficiencies, we noted certain matters involving
internal control and other operational matters that are presented in Appendix A for your
consideration. These observations are intended to improve BBG’s internal control or result in
other operating efficiencies.

This letter is intended solely for the information and use of BBG officials and the Office of
Inspector General and is not intended to be, and should not be, used by anyone other than these
specified parties.

Comments by BBG management on this report are presented as Appendix B.

Very truly yours,

Clarke Leiper, PLLC

Appendix A

Management Letter Related to the
Audit of the Broadcasting Board of Governors
2012 and 2011 Financial Statements

Observations and Conclusions

1. Personal Services Contractors Employment Taxes

During FY 2012, the Internal Revenue Service (IRS) was conducting an examination of the
Broadcasting Board of Governors (BBG) Employment Tax Returns to determine whether some
or all of BBG’s independent contractors should be classified as employees. If considered
employees for tax purposes, BBG would be liable for employment taxes.
As of September 30,
2012, the IRS was in the process of reviewing the working relationships between BBG and
approximately 800 contractors.

IRS Publication 15-A, “Employer’s Supplemental Tax Guide,” states the following:

       Under common-law rules, anyone who performs services for you is your
       employee if you have the right to control what will be done and how it will be
       done. This is so even when you give the employee freedom of action. What
       matters is that you have the right to control the details of how the services are
       performed.

       If you have an employer-employee relationship, it makes no difference how it is
       labeled. The substance of the relationship, not the label, governs the worker’s
       status. It does not matter whether the individual is employed full time or part
       time.

The publication further states, “If you classify an employee as an independent contractor and you
have no reasonable basis for doing so, you are liable for employment taxes for that worker . . . .”

BBG was unaware that certain independent contractors may be considered employees or that
BBG may have the responsibility for withholding taxes for these contractors. Pending the final
results of the IRS examination, BBG may have a liability to the IRS for unpaid employment
taxes. As of September 30, 2012, the IRS had not completed its examination and a potential
liability had not been determined. BBG did not have sufficient information to estimate the
potential liability.

We recommend that the Broadcasting Board of Governors (BBG) take action to address any
recommendations received from the Internal Revenue Service.
Additionally, if the Internal
Revenue Service determines that an employer-employee relationship exists between BBG and the
contractors, we recommend that BBG develop policies and procedures to ensure that it
appropriately implements all tax requirements for contractors, including documenting BBG’s
working relationship with its contractors.

2. American Payroll – Time and Attendance

We performed tests of the controls over BBG’s time and attendance (T&A) approval and
processing procedures related to its American payroll. Testing results indicated that 13 of the 45
timesheet records sampled did not contain evidence of approval by either a supervisor or
timekeeper.

BBG’s policy regarding the approval of T&A reports, as presented in the Broadcasting
Administrative Manual, requires that all T&A reports and other supporting documents be
reviewed and approved by an authorized supervisor. The approval must be indicated either by
handwritten signature or an approved system that provides for an automated signature.
Automated approval must be made by entering designated codes into an automated system with
appropriate safeguards to prevent unauthorized entry.

BBG officials stated that the exceptions identified occurred because, in the absence of the
designated timekeepers, backup timekeepers did not enforce the required procedures.

A weak control environment over T&A records increases the potential for fraud and employee
abuse.
Without adequate enforcement of proper T&A approval by responsible personnel, the
potential for employees to be compensated for hours not worked or to receive unearned benefits
increases.

We recommend that the Broadcasting Board of Governors strengthen its controls over time and
attendance reporting by conducting timekeeping refresher training for all personnel responsible
for approving timekeeping records (that is, timekeepers, backup timekeepers, and supervisors) to
ensure that approvals are documented according to the internal control procedures detailed in
the Broadcasting Administrative Manual.

3. Information Technology Security

BBG’s information technology (IT) internal control structure for general support systems was
not adequate. The Department of State and BBG’s Office of Inspector General (OIG) annually
performs an evaluation of the information security program’s compliance as required by the
Federal Information Security Management Act of 2002 (FISMA).1 Some of the concerns that
OIG reported in the FISMA report related to general system controls that could impact the
financial statements. Specific concerns are as follows:

   • BBG did not complete the development of procedures and guidance that govern routine
     and critical configuration management processes.
   • BBG’s user account management controls did not ensure that access was provided to
     authorized personnel only; for instance, of 3,551 “active” user accounts in Active
     Directory:
        o Ninety-three user accounts were not used for more than 90 days.
        o Thirty-one user accounts did not require the use of a password.
        o The passwords for 411 user accounts had not been changed for over 90 days.

1 Audit of the Broadcasting Board of Governors Information Security Program (AUD-IT-IB-13-04, Nov.
2012).

   • BBG had not developed sanctions for employees and contractors who did not complete
     the annual security awareness training course.
   • BBG’s Plan of Action and Milestones did not consistently provide sufficient detail, such
     as the resources required to address the security weaknesses, milestones used to measure
     progress toward completion, and changes to milestones for corrective actions that were
     not completed or past due.
   • BBG did not ensure that remote access was granted only to computers that had
     implemented proper safeguards.

We also assessed IT general-system controls at the Voice of America (VOA) and the Office of
Cuba Broadcasting (OCB). Our assessment supported the findings reported in OIG’s FISMA
report. Specifically, we found the following:

   • VOA could not provide a current network diagram that identified key devices or
     configuration settings.
   • OCB did not conduct annual cyber security awareness training for its users.
   • OCB did not have a process to identify separated employees for the purpose of disabling
     user accounts.
     OCB utilizes generic usernames and passwords for network workstations
     in common areas, enabling multiple users to log in with the same username and
     password.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,
Revision 3, Recommended Security Controls for Federal Information Systems and
Organizations, requires that an organization develop, document, and maintain an inventory of
information system components that accurately reflects the current information system; is
consistent with the authorization boundary of the information system; and is available for review
and audit.

The NIST standard further requires that an organization establish usage restrictions and
implementation guidance for each allowed remote access method and develop a plan of action
and milestones for the information system to document the organization’s planned remedial
actions to correct weaknesses or deficiencies noted during the assessment of the security controls
and to reduce or eliminate known vulnerabilities in the system.

The NIST standard also requires that an organization facilitate the implementation of security
awareness and training policies and associated security awareness and training and develop and
disseminate an organization-wide information security program plan that does the following:

   • Provides an overview of the requirements for the security program and a description of
     the security program management controls and common controls in place or planned for
     meeting those requirements.
   • Provides sufficient information about the program management controls and common
     controls (including specification of parameters for any assignment and selection
     operations either explicitly or by reference) to enable an implementation that is
     unambiguously compliant with the intent of the plan and a determination of the risk to be
     incurred
     if the plan is implemented as intended.
   • Is approved by a senior official with responsibility and accountability for the risk being
     incurred to organizational operations (including mission, functions, image, and
     reputation), organizational assets, individuals, other organizations, and the Nation.

In addition, the NIST standard requires that an organization manage its information system
accounts, including the following:

   • Identifying account types (that is, individual, group, system, application,
     guest/anonymous, and temporary).
   • Establishing conditions for group membership.
   • Identifying authorized users of the information system and specifying access privileges.
   • Requiring appropriate approvals for requests to establish accounts.
   • Establishing, activating, modifying, disabling, and removing accounts.
   • Specifically authorizing and monitoring the use of guest/anonymous and temporary
     accounts.
   • Notifying account managers when temporary accounts are no longer required and when
     information system users are terminated or transferred or when information system,
     usage, or need-to-know/need-to-share changes.
   • Deactivating (i) temporary accounts that are no longer required and (ii) accounts of
     terminated or transferred users.
   • Granting access to the system based on (i) a valid access authorization, (ii) intended
     system usage, and (iii) other attributes as required by the organization or associated
     missions/business functions.

Further, the NIST standard requires an organization to allow the use of group authenticators only
in conjunction with an individual/unique authenticator
and requires individuals to be
authenticated with an individual authenticator prior to using a group authenticator.

In general, we and OIG found that BBG had not implemented effective standards, policies,
processes, and procedures over its information security program. Moreover, OCB was not
required to comply with VOA IT requirements, but it had not implemented its own IT security
controls. OIG’s FISMA report includes detailed recommendations for BBG to implement in
order to address the deficiencies noted.

Poor controls over IT security can affect the integrity of financial reporting applications, which
increases the risk that sensitive information could be accessed by unauthorized individuals or
that financial transactions could be altered either accidentally or intentionally.

We recommend that the Broadcasting Board of Governors implement recommendations included
in the Office of Inspector General’s Federal Information Security Management Act report for FY
2012.

4. Reconciliation of Transactions Recorded in Suspense Accounts

A suspense account is a temporary account used by agencies to record transactions with
discrepancies until a determination is made on the proper disposition of the transaction. As of
September 30, 2012, BBG had a total of negative $396,857 recorded in suspense account F3875.
Over 75 percent of that amount was over 60 days old and related to transactions from FY 2011
and earlier.

The Treasury Financial Manual, Volume I, Bulletin No.
2011-06, “Reporting Suspense Account
Activity Using F3875 and F3885 and Using Default Accounts F3500 and F3502 as a
Governmentwide Accounting (GWA) Reporter,” requires the CFO to “certify the balances in
suspense accounts F3875 and F3885” to the Department of the Treasury “annually, at yearend.”
The agency must also certify that the balances do not include any items or transactions more than
60 days old. If there are transactions more than 60 days old, the agency “must clearly explain the
reason in the annual electronic certification.”

BBG officials stated they were unable to reconcile and clear suspense account balances in a
timely manner because of resource limitations. Specifically, BBG officials stated that BBG had
numerous unfilled vacancies in its Division of Financial Operations.

Failure to implement timely and effective suspense account reconciliation procedures could
affect BBG’s ability to effectively monitor budget execution and accurately measure the full cost
of its programs.

We recommend that the Broadcasting Board of Governors temporarily focus resources on
clearing suspense account transactions that are more than 60 days old, as required by the U.S.
Department of the Treasury.

5. Financial Reporting Process

Although BBG complied with the Office of Management and Budget’s (OMB) deadline to
submit a draft Performance and Accountability Report (PAR) by November 1, 2012, BBG’s
financial reporting process was insufficient to prepare the final PAR in a sufficient or timely
manner.
After we noted deficiencies with financial statement information included in the PAR,
such as unreconciled balances and the use of an incorrect format for the Statement of Budgetary
Resources, BBG had to correct the financial data in multiple subsequent revisions to the financial
statements.

OMB Circular A-123, Management’s Responsibility for Internal Control, requires agencies to
have controls in place to ensure accurate financial reporting. Specifically, the circular requires
agency management to establish and maintain internal controls to achieve the objectives of
effective and efficient operations, reliable financial reporting, and compliance with applicable
laws and regulations.

The Government Accountability Office’s Standards for Internal Control in the Federal
Government states financial information is needed for both external and internal uses. The
agency is required to develop financial statements for periodic external reporting and, on a
day-to-day basis, to make operating decisions, monitor performance, and allocate resources.

BBG did not have adequate processes or controls in place to support the preparation of the final
financial statements to successfully meet year-end reporting deadlines. BBG had unfilled
vacancies for key positions within the Office of the Chief Financial Officer. BBG’s financial
statement compilation requires experienced and well-trained staff because of the significant
number of manual entries and adjustments using Excel spreadsheets to ultimately populate the
balances within the financial statements.

The labor-intensive process was time-consuming and increased the likelihood of errors and
omissions within the financial statements and left little time for management quality control
procedures.
Furthermore, manual adjustments are prone to error and require an increased
measure of internal control and review from management, making the financial reporting process
less efficient. Because of financial reporting process issues, the end of fieldwork for the
financial statement audit had to be postponed from November 1, 2012, until November 13, 2012.
Although we were able to complete the audit opinion by the mandated deadline, the issues with
financial reporting delayed the issuance of the audit opinion past agreed-upon deadlines.

We recommend that the Broadcasting Board of Governors implement processes and controls,
including training for employees, to improve the timeliness and accuracy of its financial
reporting process.

6. Contingent Liabilities

As of September 30, 2012, BBG had made $3.8 million in settlement payments resulting from
judgments against BBG. However, BBG had not reduced its contingent liability balance by the
amount of the payments.

Statement of Federal Financial Accounting Standards No. 5, Accounting for Liabilities of the
Federal Government, states that contingencies “should be recognized as a liability when a past
transaction or event has occurred, a future outflow or other sacrifice of resources is probable, and
the related future outflow or sacrifice of resources is measurable.” Accordingly, the outflow or
sacrifice of BBG’s resources should be recognized as payments to reduce the liability.

BBG was required to deposit funds into claimants’ Thrift Savings Plan (TSP) accounts. Because
the Judgment Fund cannot make deposits directly into TSP, BBG disbursed funds to the TSP
accounts and requested reimbursement from the Judgment Fund. BBG’s policy is to record the
payments to TSP as an advance. BBG does not reduce the contingent liability account until
BBG is reimbursed from the Judgment Fund.
As of September 30, 2012, BBG had not been
reimbursed by the Judgment Fund for $3.8 million in funds transferred to TSP. Accordingly,
BBG’s contingent liabilities were overstated by $3.8 million.

We recommend that the Broadcasting Board of Governors (BBG) revise its procedures related to
the posting of transactions related to contingent liabilities. BBG should reduce its liability once
payments are made into the Thrift Savings Plan relief accounts and establish an accounts
receivable for pending reimbursements from the Judgment Fund.

7. Statement of Net Cost – Indirect Cost Allocation

BBG did not allocate indirect costs to its major programs based on current year data and
activities. BBG allocated indirect costs based on ratios that were intended to equitably distribute
costs to benefiting programs. For example, certain administrative costs were distributed on the
basis of the number of staff, while engineering costs were distributed based on the number of
transmission hours. Although we determined BBG’s indirect cost allocation methodology to be
appropriate, the underlying data used to calculate the ratios was based on information and
activities from FY 2010.

Statement of Federal Financial Accounting Standards No. 4, Managerial Cost Accounting
Standards and Concepts states: “Each reporting entity should accumulate and report the cost of
its activities on a regular basis for management information purposes. Cost information is
essential to effective financial management and should play an important role in federal financial
reporting.
Managerial cost accounting processes are the means of providing cost information in
an efficient and reliable manner on a continuing basis.”

The standard further states:

        To perform managerial cost accounting on a “regular basis” means that entities
        should establish procedures to accumulate and report costs continuously,
        routinely, and consistently for management information purposes. Consistent
        and regular cost accounting is needed to meet the second objective of federal
        financial reporting which states information should be provided to help the user
        determine the costs of providing specific programs and activities and the
        composition of, and changes in those costs.

BBG policies and procedures do not require annual updates to the ratios used in allocating
indirect costs. At the beginning of each fiscal year, the Chief Financial Officer reviews the
allocations to determine whether they remain applicable to the current year based on anticipated
activities. Although the total net cost presented in BBG’s FY 2012 Statement of Net Cost was
fairly stated, the totals related to individual programs did not accurately represent the full cost of
the programs.

We recommend that the Broadcasting Board of Governors calculate indirect cost allocation
ratios based on current year operations.

Prior Year Management Letter Comments

During the audit of BBG’s FY 2011 financial statements, we identified matters that we reported
in a management letter.2 As a result of additional work performed during the audit of the FY
2012 financial statements, we did not include some of the prior observations in the current
management letter.
Some of the observations identified during the FY 2011 audit remain open.
The statuses of the FY 2011 findings are presented in Table 1.

2 Management Letter Related to the Audit of the Broadcasting Board of Governors 2011 and 2010 Financial
Statements (AUD/IB-12-08, Feb. 2012).

Table 1. Statuses of Observations From the FY 2011 Management Letter

Observation         FY 2011 Observation                         FY 2012   Comment
Number                                                          Status

1. Information      The annual Federal Information Security     Open      See observation 3.
   Security         Management Act report stated that BBG did
                    not fully comply with some statutory
                    provisions and implementing regulations.

2. Fund Balance     Unreconciled differences were not being     Closed    BBG implemented procedures to
   with Treasury    cleared in a timely manner.                           reconcile all differences within 2
                                                                          months of occurrence.

3. Accounts         Qualifying debts were not referred to the   Closed    No instances of noncompliance with
   Receivable       Treasury Offset Program.                              the Debt Collection Improvement Act
                                                                          of 1996 were identified during the
                                                                          audit.

4. Non-Personnel    BBG did not have a sufficient process to    Open      Reported as a significant deficiency
   Expenses and     ensure that all costs were recorded in the            in the audit report.
   Accounts         correct period or properly accrued at
   Payable Accrual  year-end.

5. Accounts         Overseas accounts payable transactions      Closed    The impact of this finding would not
   Payable          were not recorded to the correct account.             be material to the financial
                                                                          statements.

Appendix B

Broadcasting Board of Governors
INTERNATIONAL BROADCASTING BUREAU

JAN 30 2013

Mr. Harold W. Geisel
Deputy Inspector General
Office of Inspector General
Department of State

Dear Mr. Geisel:

This is in response to your request for comments on the draft management letter related to the
audit of the Broadcasting Board of Governors’ 2012 and 2011 financial statements. We have
reviewed the observations and conclusions of the independent contractor, Clarke Leiper, PLLC,
and in the enclosure provide responses to each of the issues identified by the auditors.

I assure you that we take the recommendations seriously and will monitor the progress made to
address each recommendation.

Thank you for the opportunity to respond. If you have any questions, please feel free to contact
Ms. Barbara Tripp at (202) 203 (b)(2)(b)(6) or Ms. Kelu Chao, Director, IBB Office of Performance
Review at (202) 203 (b)(2)(b)(6).

Sincerely,

Enclosure: As Stated

Washington, DC 20237

Enclosure

Broadcasting Board of Governors Response
Audit of Financial Statements
September 30, 2012 and 2011

BBG Responses to the Audit Observations and Conclusions

1. Personal Services Contractors Employment Taxes (new)

     Audit Recommendation: Clarke Leiper recommends that the Broadcasting Board of
     Governors (BBG) take action to address any recommendations received from the Internal
     Revenue Service. Additionally, if the Internal Revenue Service determines that an
     employer-employee relationship exists between BBG and the contractors,
     we recommend that BBG
     develop policies and procedures to ensure that it appropriately implements all tax
     requirements for contractors, including documenting BBG’s working relationship with its
     contractors.

     BBG Response: The Broadcasting Board of Governors (BBG) concurs that it will address
     any recommendations from the IRS regarding employer tax withholding once the
     examination is concluded. We note, however, that the IRS raised this issue regarding most of
     our independent contractors after receiving misinformation from an agency official who did
     not have direct knowledge of the types of services procured by BBG nor the contractual
     relationship with certain contractors. Accordingly, we believe the number of contractors who
     may be classified as employees for tax purposes is greatly exaggerated. We will continue to
     work with IRS in the coming year to provide more accurate information so that this issue
     may be resolved.

2. American Payroll Time and Attendance

     Audit Recommendation: Clarke Leiper recommends that the Broadcasting Board of
     Governors strengthen its controls over time and attendance reporting by conducting
     timekeeping refresher training for all personnel responsible for approving timekeeping
     records (i.e., timekeepers, backup timekeepers, and supervisors) to ensure that time and
     attendance record approvals are documented according to the internal control procedures
     detailed in the Broadcasting Administration Manual.

     BBG Response: The BBG has begun strengthening its controls over time and attendance
     reporting by conducting timekeeping refresher training for personnel responsible for
     timekeeping records (i.e., timekeepers, backup timekeepers, and supervisors).
In addition,\n     BBG is exploring ways to automate time and attendance, which will also strengthen controls\n     over approvals and record keeping.\n\n\n3. Information Security (email sent to Andre and Terry)\n\n   Audit Recommendation: Clarke Leiper recommends that the Broadcasting Board of\n   Governors implement the recommendations included in the Office of Inspector General\'s\n   Federal Information Security Management Act report for FY 2012.\n\n   BBG Response: The BBG concurs that the Agency should implement the recommendations\n   included in the OIG FISMA audit for FY 2012. Secure Information Technology (IT)\n   systems are vital for safeguarding the broadcast mission of the Agency. All\n   recommendations in the subject OIG report are currently being addressed and on schedule for\n   implementation. The BBG\'s Chief Information Officer (CIO) will oversee the development\n   of procedures to ensure that security controls are properly managed and maintained for all IT\n   systems with direct access to the BBG network. The BBG has increased investments in\n   internal and offsite systems to be used for business continuity and the development of\n   contingency plans. To support and lead these critical efforts, the CIO has hired a Disaster\n   Recovery and Business Continuity (DR/BC) Manager. The DR/BC Manager has begun\n   analyzing the various IT systems and procedures to gauge the impact on the Agency should\n   systems become inoperable or the environment becomes unavailable. At this time, both\n   additional server and storage systems specifically intended to provide DR/BC capabilities for\n   BBG are on site in Washington, D.C.
Upon completion of configuration and testing, the\n   systems will be shipped to Prague for installation.\n\n   In the past several months, the BBG has made substantial progress in addressing many IT\n   systems controls. The BBG has installed, configured, and populated an inventory\n   management tool as well as establishing policies and workflows for use, has implemented\n   change management procedures, has greatly expanded its data backup and retrieval\n   processes, has developed and implemented policies and procedures for Plan of Actions and\n   Milestones (POAM), has ensured adherence to password reset policies and procedures, has\n   brought compliance to end-user participation in mandatory Security Awareness Training to\n   100%, which includes the Office of Cuba Broadcasting (OCB) and has instituted strict\n   disciplinary measures for non-compliance, and has reviewed the BBG Incident Response\n   Policy to align with guidance from the National Institute of Standards and Technology\n   (NIST).\n\n   The CIO will attempt to strengthen the IT security controls over all Federal BBG elements\n   that connect to the BBG\'s Wide Area Network (WAN). These BBG Federal elements\n   include the International Broadcasting Bureau, the Office of Cuba Broadcasting, and the\n   Voice of America. At this time, the BBG is circulating for comments an Agency-wide policy\n   that reinforces the role of the CIO in addressing risk management processes and procedures\n   as recommended by the NIST. If full compliance cannot be met, compensating controls will\n   be put in place to ensure an acceptable risk level for the BBG. The CIO will continue to\n   assess progress.\n\n\n4.
Reconciliation of Transactions Recorded in Suspense Accounts\n\n   Audit Recommendation: Clarke Leiper recommends that BBG temporarily focus resources\n   on clearing suspense account transactions that are more than 60 days old as required by the\n   U.S. Department of the Treasury.\n\n   BBG Response: Budgeting and resource constraints continue to hamper BBG\'s ability to\n   quickly resolve historical transactions while maintaining critical activities to ensure smooth\n   mission operations. As workload allows, BBG will focus resources to reconcile suspense\n   account transactions that are more than 60 days old.\n\n\n5. Financial Reporting Process\n\n   Audit Recommendation: Clarke Leiper recommends that the Broadcasting Board of\n   Governors implement processes and controls, including training for employees, to improve\n   the timeliness and accuracy of its financial reporting process.\n\n   BBG Response: The BBG agrees that vacancies in key positions and the manual process\n   hampered our ability to prepare and review the financial statements efficiently. However,\n   even with these hindrances, the financial statements are accurate and complete. Although the\n   reporting team was short-staffed, the team was well-trained and did an admirable job in\n   executing the excessively manual process, which enabled BBG to meet the OMB reporting\n   deadlines. It should be noted that the dates mentioned within the finding were internal\n   agency deadlines and not specifically mandated by law or regulation.\n\n   BBG concurs that the manual, labor-intensive, and time-consuming financial statement\n   process could be improved through automation and filling key vacancies. BBG has already\n   made progress resolving this finding by successfully upgrading the financial management\n   system during October 2012.
This newer version of the system should allow the production\n   of the annual financial statements directly from the financial management system with\n   increased controls and timeliness and eliminate the manual process.\n\n\n6. Contingent Liabilities\n\n   Audit Recommendation: Clarke Leiper recommends that the Broadcasting Board of\n   Governors (BBG) revise its procedures related to the posting of transactions related to\n   contingent liabilities. BBG should reduce its liability once payments are made into the Thrift\n   Savings Plan relief accounts and establish an accounts receivable for pending\n   reimbursements from the Judgment Fund.\n\n   BBG Response: In accordance with accounting standards, BBG agrees that contingent\n   liabilities should be reduced and the corresponding imputed benefits be recognized (as\n   applicable) when payments have been made to the claimants. This recommendation relates\n   to a particular arrangement for a unique legal case asserted against the U.S. Information\n   Agency more than 2 decades ago, and the payment of the final resolution of those claims\n   follows the law applicable at that time. BBG believes the current posting sequencing\n   developed for reporting the contingent liabilities for this particular case, better reflects the\n   general rules for contingent liabilities arising from litigation that is ultimately paid from the\n   Judgment Fund. Accordingly, BBG does not expect to revise its procedures for reporting this\n   particular contingent liability.\n\n   In typical cases where the Judgment Fund paid claimants directly, a federal agency would not\n   reduce a contingent liability against a direct appropriation account until it confirms that\n   Treasury paid the claimants from the Judgment Fund.
At the same time, the agency would\n   record any imputed benefits. Here, the Judgment Fund cannot pay the claimants directly,\n   and $3.8 million in settlement "payments" that were deposited into the TSP accounts of\n   claimants came from deposit fund X6276 - Other Federal Payroll Withholding, Allotments.\n   Deposit fund X6276 is not one of BBG\'s direct appropriation fund symbols. In essence,\n   there has been no "outflow" of BBG resources to trigger the liabilities reduction. The\n   reimbursement from the Judgment Fund replenishes the negative cash in deposit fund X6276.\n   Similar to the payment of claimants directly in typical litigation, the Judgment Fund\'s\n   reimbursement to Fund X6276 should be the triggering event for reducing contingent\n   liabilities and recognizing imputed benefits.\n\n\n7. Statement of Net Costs Indirect Cost Allocation\n\n   Audit Recommendation: Clarke Leiper recommends that the Broadcasting Board of\n   Governors calculate indirect cost allocation ratios based on current year operations.\n\n   BBG Response: The BBG will review the current methodology and perform analysis to\n   determine the optimal indirect cost allocation approach for the preparation of the Statement\n   of Net Cost.\n'